Skip to main content

Adatkezelési Tájékoztató ENG

Privacy Policy

 

Dear Customer,

 

We are pleased that you are interested in data protection. We would like to give you an easily understandable overview of the data processing practices and our privacy compliance measures in relation to our delivery websites, applications and related services (we'll call all of these together simply the "platform" below).

 

Our goal is to provide you with an amazing customer experience while keeping your personal data secure. Trust, transparency and honesty are our leading principles.

 

Your trust in our product is the reason why we can provide you with an amazing customer experience.

 

1.         Who We Are

We are Delivery Hero Hungary Kft. (location: 1095 Budapest, Soroksári út 30-34. D. ép. 2. emelet; company registration number: 01 09 668748; tax number: 11187433-2-44), but usually we just use the name foodora. You can always contact us via the following methods:

 

Delivery Hero Hungary Kft., 1095 Budapest, Soroksári út 30-34. D. ép. 2. emelet

E-mail: help@foodora.hu

 

As regards the processing activities conducted on our platform, foodora will be the data controller responsible for what happens with your personal data. "Data controller" is a legal term and simply means that we are the party determining how your personal data is processed, for what purposes this is done and by what means.

 

If you have any questions about data protection at foodora, you can also contact us at any time by sending an email to dpo@foodora.hu.

 

We are a member of the large and fascinating family of the international Delivery Hero Group. As a family, we make certain decisions together. Both our parent company, Delivery Hero SE (Oranienburger Straße 70, 10117 Berlin, Germany) and foodora, to some extent, jointly decide which means we will use to process your personal data and which purposes we consider to be appropriate. This is because the platform uses some of the technology provided by Delivery Hero SE. Legally, this means that foodora is responsible for the collection and subsequent transmission of your data, while Delivery Hero SE is responsible for keeping your data secure afterwards which makes both parties responsible for the storage of your data. Therefore, you are free to assert your rights against both parties in relation to the processing activities listed in this Privacy Policy.

 

If you would like to contact our group’s data protection officer, please reach out to our group data protection officer at dpo@deliveryhero.com (who can also be reached at our physical address: Delivery Hero SE, Oranienburger Straße 70, 10117 Berlin). Please be aware, however, that our group data protection officer will generally not be able to process your data subject requests. These will be responded to solely by the local privacy team which can be reached under the contact details provided above.

 

2.         Privacy Is Your Right and the Choice Is Yours

As a customer, you have the choice which information you would like to share with us. Please be aware, however, that when signing up to our platform, you are required to accept our General Terms and Conditions. Legally speaking, this means you will enter into a contract with us under which you are entitled to use the platform, in accordance with the General Terms and Conditions Of course, we need some information from you to be able to perform our obligation under this contract. However, it is entirely up to you to choose whether you would like to provide such information or would rather not use our platform.

 

Basically, you can take the following steps to control and manage how much personal data you share with us:

 

Cookies & similar technologies: You can set your device or web browser to decline cookies and similar technologies (which is also possible through our consent manager). If you deactivate these technologies, you will no longer see any personalized contents, offers or ads.

 

Direct marketing: If you do not want to receive newsletters or offers from us, you can unsubscribe at any time. In this case, we will not be able to send you any cool offers any more.

 

No data sharing: If you don't want to share any information with us at all, that's a shame. Of course, you are free to decline the creation of a user account. In this case, you are free to decline the creation of an account, or to delete it at any time.

 

3.         Your Legal Rights

Under the EU General Data Protection Regulation (GDPR) and other data protection laws, you can assert the following legal rights against us:

 

Right to access

You have the right to be informed which data we store about you and how we process this data. This also includes receiving a copy of your data.

Right to rectification

If you notice that processed data is incorrect, you can always ask us to correct it.

Right to erasure

You can ask us at any time to delete the data we have stored about you.

Right to restriction of processing

If you do not wish to delete your data, but do not want us to process it further, you can ask us to restrict the processing of your personal data. In this case, we will archive your data and only reintegrate it into our operative systems if you wish us to do so. However, during this time you will not be able to use our platform, otherwise we will process your data again. We will also restrict the processing of your data if you have requested us to delete it but we are not able to comply with your request due to the applicability of statutory retention periods.

Right to data portability

You can ask us to transmit the data stored about you in a machine-readable format to you. In this context, we will make the data available to you in JSON or another customary format.

Right to withdraw consent

You can revoke your given consent at any time or object to the further processing of your data.

Right to object

You are free to object to receiving newsletters or any other direct marketing communications at any time.

 

You also have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is processed on the basis of Art. 6 (1) f) GDPR (data processing on the basis of a balance of interests); this also applies to any profiling for the purposes of Art. 4 (4) GDPR. If you object, we will no longer process your personal data in the future unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms, or which relate to the establishment, exercise or defence of legal claims.

Automated decision-making

On the platform, we do not subject you to any decisions based solely on automated processing, including profiling, producing a legal effect for you or similarly significantly affecting you. However, we do operate on our platform various fraud detection and prevention systems; these will determine in an automated way, based on your behavior on our platform, whether you might be a fraudulent actor.

 

Our systems allow to provide you with a personalized user experience on our platform so if this this feature is available on our platform, you will see contents based on your previous orders or meal preferences.

 

In any case, you always have the right to contact us and challenge a decision made by our automated systems. To do this, just get in touch with us.

Right of complaint

If you believe that we have done something wrong with your personal data or your rights, you can complain to a supervisory authority (National Authority for Data Protection and Freedom of Information; registered office: 1055 Budapest, Falk Miksa street 9-11; postal adress: 1363 Budapest, Pf. 9. ugyfelszolgalat@naih.hu, https://www.naih.hu) at any time. You can raise a complaint about our processing of your personal data with the data protection authority in the EU Member State of your habitual residence, at our seat of business, your place of work or the place where you think a violation of the GDPR has occurred. You can also lodge a complaint with our international lead supervisory authority in Berlin, Germany. In addition, you can also choose to take your case to the courts in the place where we are established or in the place where you live. The court will decide the case out of turn. Legal proceedings relating to the protection of personal data are free of charge.

 

To exercise your rights, you can use the functions provided in your user account at any time. For example, if you would like to delete your data, or receive a copy of it, you can do so directly by logging in to your profile, if you click on the user's name in the top right corner of the web and select "Delete account" in the "Profile" menu, or "Download Json" or "Download Pdf" to access your data, and in the app, select "Delete account" in the left-hand sidebar under "My profile". You can also contact our customer support team for assistance at help@foodora.hu or our data protection team at dpo@foodora.hu.

 

Please note that we are usually receiving a large number of requests - so self-service deletion or access to your personal data will always be the fastest way to exercise your rights.

 

4.         An Overview of The Personal Data We Process

In this section you can find general information about the categories of personal data we process about you. For your understanding, personal data is information that directly identifies you (such as your name or photo picture) or enables us to indirectly identify you (for example, on the basis of a user ID linked with the personal information in your profile).

 

You will find more detailed information on our processing activities below, in the next section. But our data processing activities on the platform can be summarized by reference the main categories of personal data:

 

a.                    Account data (master data)

 

This includes your name, email address, password, telephone number, country.

 

 

Why do we process this category?

This data is your master data, which we absolutely need for you to use our platform. Without an email address / telephone number and a password, you cannot create a profile. Together with your name, this is your master data.

 

b.                   Delivery data

 

This includes your name, delivery address, phone number, order details and order ID.

 

Why do we process this category?

We use riders for delivery, when you order from foodora delivery partner. In all these cases we send your personal data to the riders so that they can deliver your order quickly. If our riders cannot reach you at the delivery address you provided, they have received instructions from us to call you so that the problem can be solved easily.

Furthermore, when you give an order, we send your personal data to the partners so that they can fulfil your order and deliver it quickly. If a product of your choice is not available for delivery, they have received instructions from us to call you so that the problem can be solved easily.
In the case of an order from a foodora delivery partner, we do not send the personal data neither to the Vendor Portal interface used by the Partners nor to the tablet used for receiving orders the personal data will only be shown on the receipt printed from the tablet (the adress and the e-mail address will not be sent to the receipt either), the partner will only use the data to verify the order and checking the takeover process, and will not record or store it in any way, Partner need to ping it to the product.

By placing your order, you accept the partner's privacy policy. We declare that we do not take any responsibility for the legality of the data processing after the handover to the partner. You shall get information about privacy policy of the partner on the partner’s contacts.

The partners have no claim whatsoever to your personal data and under no circumstances may they use it for their own purposes. If you should nevertheless be contacted by a partner without your prior consent, we ask you to report this to us by e-mail to dpo@foodora.hu.

 

In accordance with the principle of data minimization, we only provide our riders and restaurants with the information that they need from you to prepare and deliver your order.

 

c.                    Order history data

 

This includes your order history, selected restaurants, invoices, order ID, comments on orders, information on payment method, delivery address, successful orders and canceled orders.

 

Why do we process this category?

Each time you place an order, this information will be added to your profile. You can view all this information in your profile at any time. We will use this information to improve our services and optimize the platform for your interests.

 

d.                   Location data

 

This includes your address, postcode, city, country, as well as your device’s longitude and latitude.

 

Why do we process this category?

We need this data to be able to deliver your orders (or enable the restaurant you have ordered from to deliver it to you). We create the longitude and latitude automatically in order to be able to process your delivery address in our other linked systems, such as our Pandarider app, and to display your address to our riders.

 

e.                    Device information and access data

This includes your device ID or other device identification, operating system and corresponding version, time of access, configuration settings, and your IP address.

 

Why do we process this category?

Each time you access our platform this information is stored by us for technical reasons. We also use parts of this information to detect suspicious behavior at an early stage and to protect our platform.

 

f.                     Customer care data

 

This includes your name, address, telephone number, user account ID for the platform, email address, or your ID from any social media.

 

Why do we process this category?

If you have a complaint about our services and you contact us, we will process the information we obtain during the contact for the purpose of handling and tracking complaints, and to verify your identity, the exact date and content of the complaint, and the information provided in relation to the complaint. This also applies when you comment to us through your foodora profile on various social media platforms. We do not combine this data with your Account data, but we can still identify you based on your identifier from the social media platforms.

 

g.                   Marketing contact and communications data

 

This includes your name, email address, telephone number, and device ID.

 

Why do we process this category?

If you would like to receive an email, an SMS or an in-app push notification from us, we need certain information to send you the messages. Instead of addressing you with "Hey You", we find it more customer friendly to address you with your name. This category of personal data is also used by us to contact you, for example, if product or delivery needs to be agreed.

 

h.                   Payment data

 

This includes your payment method, and encrypted, pseudonymized credit card information.

 

Why do we process this category?

We need this information to initiate your payments and assign them to the orders you have placed. We also need this data to store your payment information for future orders (if you give us your consent to do so).

 

We inform you that in case of payment by credit card or SZÉP card, we do not process, collect, store or have access to any card data necessary for the payment transaction.

 

Payment by credit card is made through electronic systems operated by the following payment service providers, which are completely independent of the Platform and have contracted with us to provide payment by credit card:

- Adyen N.V., registration number: 34259528, registered office: Carmiggeltstraat 6-50, 1011 DJ Amsterdam, the Netherlands, or via the Adyen payment system operated by.

- OTP MOBIL Szolgáltató Korlátolt Felelősségű Társaság (1143 Budapest, Hungária krt. 17-19.; company registration number: 01-09-174466) or through the Simple Pay system operated by OTP MOBIL Szolgáltató Korlátolt Felelősségű Társaság (1143 Budapest, Hungária krt. 17-19.; company registration number: 01-09-174466).

In the case of payment by credit card, you agree that the following personal data processed by us may be transferred to OTP Mobil Kft. (1093 Budapest, Közraktár utca 30-32.) as the data controller. The data transmitted include: surname, first name, country, telephone number, e-mail address. Purpose of the data transfer: customer service assistance to users, confirmation of transactions and fraud monitoring for the protection of users.

In the case of payment by SZÉP card, you agree that the following personal data processed by us will be transferred to BIG FISH Payment Services Kft. (headquarters: 1066 Budapest, Nyugati tér 1-2.) as the data controller. The scope of the data transmitted includes: first name, surname, first name, IP address, billing address, delivery address, telephone number, e-mail address, last four digits of the credit card number. The purpose of the data transfer is to enable the data communication necessary for payment transactions between us and the payment service provider's system and to ensure the traceability of the transactions for us.

When paying by credit card or saving credit card data, we do not process, collect or store any card data necessary for the payment transaction, we do not have access to these data in any way, they are processed by the payment service providers providing the credit card payment option.

 

5.         Our Detailed Processing Activities, Processing Purposes & The Applicable Legal Basis

We only process your data if this is lawful and you can reasonably expect it to be processed. Still, in order to be able to offer you our online platform, the processing of your personal data is essential. You do provide us with some of this data proactively by entering them on your device. Other data we collect automatically when you are using our platforms.

 

 

 

We process your personal data as follows:

 

a.                    Creating and operating your account, delivering your orders, providing our platform

 

      Account creation

 

When creating a customer account you will be asked to enter your account data. This is absolutely necessary, as we cannot create a customer profile without this data. Your email address and telephone number are particularly important, as we can use this information to identify you in our system the next time you want to log in again. To your account we will assign a unique identifier, a so-called user ID.

Categories of personal data:

Account data (master data)

Date of creation of account

 

Legal basis:

Art. 6  (1) b) GDPR, performance of contract.

 

Duration of processing:

3 years from the date of the last login for Account data (master data) and the Date of creation of account.

 

      Single-Sign-On with Facebook

 

If you have a Facebook profile, you can register on our platform to create a customer account or to register using the "Facebook Connect" function provided by the social network Facebook, operated by Meta Ireland Limited 4 Grand Canal Square, Grand Canal Harbour, Dublin, Ireland ("Meta"), within the framework of the so-called single sign-on technology. You can recognize the social plugins of "Facebook Connect" on our website by the blue button with the Facebook logo and the label "Login with Facebook" or "Connect with Facebook" or "Log in with Facebook" or "Sign in with Facebook".

 

By using this "Facebook Connect" button on our website, you can log in or register on our website using your Facebook user data. Only if you give your express consent prior to the registration process on the basis of a corresponding note on the exchange of data with Facebook, will we receive the general and publicly accessible information stored in your profile when using the Facebook "Facebook Connect" button on Facebook, depending on your personal data protection settings on Facebook. This information includes user ID, name, profile picture.

 

Further information on the Facebook Login can be found at: https://www.facebook.com/privacy/explanation.

 

 

Categories of personal data:

Account data (master data)

Facebook account data

 

Legal basis:

Art. 6 (1) a) GDPR, consent

 

Duration of processing:

For Account data (master data) and Facebook account data, until your consent is withdrawn, but no longer than 3 years from the last login.

 

      ​​Single-Sign-On with Google

If you have an account with Google, you can use this account to log in to our service. Google accounts for European users are provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland ("Google Ireland"), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 ("Google").

By using the “Continue with Google” button on our website, you can log in or register on our website using your Google user data. Only if you give your express consent in accordance with Art. 6 Para. 1 (a) GDPR prior to the registration process on the basis of a corresponding note on the exchange of data with Google, will we receive your Google user ID, user name and email address. We will never receive your Google password and cannot log in to your Google account. You can learn more about data sharing with Google when logging in to our service with Google by reviewing Google’s explanations here: https://support.google.com/accounts/answer/112802.

The data transmitted by Google is stored and processed by us solely for the creation of a user account with the necessary data.

Categories of personal data:

Account data (master data)

Contact Information

Google ID and associated account data

 

Legal basis:

Art. 6 (1) (a) GDPR, Consent

 

Duration of processing:

For Account data (master data), as well as contact information and the associated Google ID and user account data, until your consent is withdrawn, but no longer than 3 years from the last login.

 

      ​​Single-Sign-On with Apple

If you have an account with Apple, you can use this account to log in to our service. Apple accounts for European users are provided by Apple Computer Limited, Hollyhill Industrial Estate, Cork, Ireland ("Apple Ireland"), a subsidiary of Apple Inc., One Apple Park Way, Cupertino, CA 95014, United States.

By using the “Continue with Apple” button on our website, you can log in or register on our website using your Apple user data. Only if you give your express consent in accordance with Art. 6 Para. 1 (a) GDPR prior to the registration process on the basis of a corresponding note on the exchange of data with Apple, will we receive your Apple user ID, user name and email address. We will never receive your Apple password and cannot log in to your Apple account. You can learn more about data sharing with Apple when logging in to our service with Apple by reviewing Apple’s explanations here: https://support.apple.com/en-us/HT204053.

The data transmitted by Apple is stored and processed by us solely for the creation of a user account with the necessary data.

Categories of personal data:

Account data (master data)

Contact Information

Apple ID and associated email address

 

Legal basis:

Art. 6 (1) (a) GDPR, Consent

 

Duration of processing:

For Account data (master data) and contact information and Apple ID and associated email address, until your consent is withdrawn, but no longer than 3 years from the last login.

 

      Managing your profile

 

You can log in to your profile at any time and change your personal data, such as name, email address or telephone number. You can also view your previous orders.

 

Categories of personal data:

Account data (master data)

Location data

Order history data

Device information and access data

Marketing contact and communications data

Payment data

 

Legal basis:

Art. 6 (1) b) GDPR, performance of contract.

 

Duration of processing:

3 years from the last login for Account data (master data).

Data of previous orders, payment data: eight years from the date of the order in accordance with Section 169 (2) of the Act on Accounting (Act on Accounting).

Location data shall be retained for five years from the date of the order in accordance with the general limitation period of the Civil Code.

Device information and access data will be retained until the consent is withdrawn, but no longer than three years from the last log-in.

For marketing contact and communication data, if you have given direct marketing consent, the data will be retained until your consent is withdrawn.

 

      Order processing

 

Once you have successfully registered and decided to place your order, we will store this information in your profile and process it in further processes so that you can submit your order to us. When you submit your order, your personal data is transferred to our backend where it is transferred to other systems for further processing. Please note that order processing might necessitate the processing of special categories of personal data in those cases where you are purchasing a product that is not qualified as medicinal product, as this will reveal the medical condition you are attempting to alleviate by ordering this specific product. In this case we will make sure to collect your prior consent or otherwise meet the requirements of Art. 9 GDPR. However, generally speaking, your order of a product that is not qualified as medicinal product will not be considered special categories of data.

 

Categories of personal data:

Account data (master data)

Order data

Delivery data

Location data

Device information and access data

 

Legal basis:

Art. 6 (1) b) GDPR, performance of contract.

 

Duration of processing:

3 years from the last login for Account data (master data).

For order data, eight years from the date of the order in accordance with Section 169 (2) of the Act on Accounting (Accounting Act).

Delivery data, location data are kept for five years in accordance with the general limitation period of the Civil Code.

Device information and access data will be retained until the consent is withdrawn, but no longer than three years from the last log-in.

 

 

 

 

      Storing your cart for later

 

After you have logged in to your profile and made your selection, the products will be saved in your profile. If you accidentally close your browser or app, you can continue to the last point of your order. We store this data to provide you with a better ordering experience where you can conveniently continue your order with browsers or apps that are accidentally closed.

 

Categories of personal data:

Account data (master data)

Device information and access data

Order data

 

Legal basis:

Art. 6 (1) f) GDPR, legitimate interests.

 

Duration of processing:

Until consent for device information and access data is withdrawn, but no longer than 3 years from the last login.

With regard to order data according to Section 169 (2) of Act C on Accounting, eight years from the date of the order.

 

      Delivering your order

 

Once you have successfully placed your order, a number of processes are running in the background to ensure that your order is delivered quickly. This includes sharing your order data with the restaurant preparing your meal as well as with the rider delivering your order if the order is delivered by us. In this context, please be informed that we use different types of riders for delivery. These can be permanent employees, freelancers or riders employed by third-party logistics companies.

 

Categories of personal data:

Delivery data

 

Legal basis:

Art. 6 (1) b) GDPR, performance of contract.

 

Duration of processing:

The delivery data are kept for five years in accordance with the general limitation period of the Civil Code.

 

      Enabling calls from riders or restaurants to check on your order

 

If a product of your choice is not available for delivery or our riders cannot reach you at the delivery address you provided, they have received instructions from us to call you so that the problem can be solved easily. Both the restaurants as well as the riders have no claim whatsoever to your personal data and under no circumstances may they use it for their own purposes. If you should nevertheless be contacted by a restaurant without your prior consent, we ask you to report this to us by e-mail to dpo@foodora.hu. By placing your order, you acknowledge that by transferring your order data to our Partners, your personal data will also be processed by our Partner as a separate data controller, which is necessary for the performance of the contract between you and our Partner. We shall not be liable for the lawfulness of the processing of this data by the Partner after the data has been transferred to the Partner. For information on Partner's data management practices, please contact Partner.

           

Categories of personal data:

Delivery data

 

Legal basis:

Art. 6 (1) b) GDPR, performance of contract.

 

Duration of processing:

The delivery data are kept for five years in accordance with the general limitation period of the Civil Code.

 

      Saving your payment methods

 

In order to make the ordering process even more convenient for you, we offer to save your preferred payment method. This means that you don't have to enter your payment details again the next time you place an order. Your payment data will be stored securely and we’ll make sure it stays encrypted at all times. Restaurants will never receive your payment data.

 

Categories of personal data:

Payment data

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

 

Duration of processing:

With regard to payment data according to Section 169 (2) of Act C on Accounting, eight years from the date of the order.

 

      Restaurant and user reviews

 

We provide you with an opportunity to review restaurants, shops and other vendors on our platform. In the foodora Mobile App or on the foodora website, you can submit a rating in a pop-up window or other interface, and by submitting a rating, you agree to pass your rating on to our partner so that our partner can receive the relevant information to improve its services. The transfer of the evaluation data is anonymous and does not include your personal data.

Categories of personal data:

Account data (master data)

Review contents & identity of vendor (i.e. restaurant/shops) you have interacted with

 

Legal basis:

Art. 6 (1) f) GDPR, legitimate interests.

 

Duration of processing:

3 years from the last login for account data (master data).

Data relating to the evaluation will be kept for five years in accordance with the general limitation period of the Civil Code.

 

·       System messages

 

We may send you information about the operation of our services and website in a variety of ways, the content of which may vary, but which should never be considered a marketing solicitation. The information may be sent by email, SMS or Push message. For example, we may use our system messages to inform you about information relating to your order, delivery, changes to the T&Cs, maintenance of the website or our services, changes to your account.

 

Categories of personal data:

Account details (master data)

 

Legal basis:

Legitimate interest (Art. 6 para. 1 (f) GDPR).

Our legitimate interest is that the information specified in this section reaches you, which is also in your interest in all cases, as you can use our services efficiently and with satisfaction.

 

Duration of processing:

3 years from the last login.

 

·       Complaint handling

 

As you can read in section 4.f. of this Privacy Policy, if you have a complaint about our services, you can of course make a complaint. We recommend that you send your complaint primarily via the customer service chat interface. You also still have the option to make your complaint by telephone, orally or in writing.

 

Categories of personal data:

o   In case of chat conversation: name; subject and content of the complaint

o   In case of written complaint: name, address or e-mail,

o   In case of chat conversation, oral complaint or complaint by phone call if the complaint could not be handled immediately, we prepare a minute which contains the following data: name, address; place, date, mode and content of the complaint; special identifying number of the complaint

o   In case of phone call recording: the voice of the caller; the information provided during the phone call

 

Legal basis:

Legal obligation pursuant to Act. CLV. of 1997 on Consumer protection, paragraph 17/B

 

Duration of processing:

With regard to the minutes of the complaint and copies of the replies to the written complaints, three years pursuant to Act CLV of 1997 on Consumer protection, paragraph 17/A (7).

 

b.                   Fraud detection, prevention and security of our platform and your account

 

In order to protect our customers and our platform from possible attacks, we continuously monitor the activities on our websites and mobile applications. To keep the platform secure and guarantee you a safe ordering experience, we use various technical measures to ensure that suspicious behavior patterns are detected at an early stage and prevented as early as possible. To achieve this goal, several software-based monitoring mechanisms run in parallel and prevent potential attackers from damaging our platform.

 

The decision-making process is automated and could potentially have an impact on the use of your registered account on our platform. If any such decision leads to a negative result for you and you do not agree with the outcome, you can contact us at dpo@foodora.hu. In this case, we will individually assess the circumstances of your case. All of our fraud detection and prevention algorithms are always open to human review. If you think that a mistake has been made we are happy to look into it and make corrections, if necessary.

 

Categories of personal data:

Account data (master data)

Device information and access data

Payment data

Order data

Voucher information

 

Legal basis:

Art. 6 (1) f) GDPR, legitimate interests.

 

Duration of processing:

3 years from the last login for account data (master data).

For device information and access data, until you withdraw your consent, but no longer than 3 years from the last login.

For payment data, eight years from the date of order according to Section 169 (2) of Act C on Accounting.

With regard to order data and coupon information, eight years from the date of the according to Section 169 (2) of Act C on Accounting.

 

Direct marketing

 

      Newsletters and user surveys by email and/or text message

 

If you have provided us with your email address when signing up for our platform, by ticking the relevant checkbox, or, if available on the interface, in your own user account, or at our request, we will send you by email, SMS or other text message regular offers of goods or services similar to those offered on our platform. We are constantly striving to improve our services. Your constructive feedback is very important to us. Therefore, our direct marketing newsletters might also include surveys where we ask for your honest feedback. So we will occasionally also send you customer surveys and ask you to give us your opinion.

 

If you have objected to receiving such communications when registering your account, or at a later point in time, you will not receive any direct marketing emails. You are of course always free to opt out of such emails. In this case, we will store your contact details in a list of customers who have objected to receiving direct marketing, to make sure we can continuously comply with your objection.

 

Not only do the contents of our newsletters and surveys vary, but so do the technologies and criteria we use to design our newsletters and segment customer groups. For example, a group of customers may receive a special newsletter promoting special deals from restaurants where customers have ordered. Other newsletters may refer to specific products that relate to a particular flavour, such as sushi, Indian cuisine or pizza. We use different information from your order history and delivery addresses to create these tailor-made offerings for you. Please be also aware that we are recording, in a pseudonymous manner, key performance indicators to assess the effectiveness of our direct marketing campaigns. This includes aggregated information about the opening and click-through rate for our direct marketing messages.

 

This is a profiling process in which we automatically process your data. The specific customer segmentation will not have a legal effect on you, nor will it similarly significantly affect you. The only effect you will notice are interesting offers on our platforms, bespoke to your interests and meal preferences.

 

Nonetheless, if this automated decision-making leads to a negative result for you and you do not agree with this, you can contact us at support@foodora.hu. In this case, we will opt you out of customized newsletter communications and you will no longer receive any such messages going forward.

 

Categories of personal data:

Account data (master data)

Location data

Order data

Device information and access data

 

Legal basis:

Art. 6 (1) f) GDPR, legitimate interests.

 

Duration of processing:

For marketing contact and communication data, if you have given direct marketing consent, the data will be kept until your consent is withdrawn.

ATTENTION: As already mentioned, you are entitled to object to the use of your email address for the aforementioned advertising purposes at any time, and free of charge, with effect for the future by changing your message preferences, using the “unsubscribe” button at the end of a newsletter, or by contacting us to the email address already mentioned.

 

      App notifications

 

We are always working to give you an amazing customer experience. To achieve this, we negotiate very good deals for you with our restaurant partners on your behalf or if you activate push messages on your mobile phone, and you activate push messages on your mobile device and give your active consent to sending marketing push messages by clicking the checkbox on the app, we will be able to inform you about these offers. You can disable the sending of promotional push messages in your application at any time.

 

Categories of personal data:

Location data

Account data (master data)

Order information

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

 

Duration of processing:

For marketing contact and communication data, if you have given direct marketing consent, the data will be kept until your consent is withdrawn.

 

c.                    Online marketing

 

Convincing potential customers that we offer an amazing customer experience, and that every visit to our platform is worthwhile, is one of our key business priorities. In order to reach as many potential customers as possible, we are very active in the field of online marketing. As a consequence, we conduct the following online marketing activities to attract new customers to our platform:

 

 

      Targeting

 

In principle, targeting means simply showing online advertisements (e.g. by showing banners on websites, or delivering ads on social media service timelines) tailored to specific target groups. We strive to deliver to you only advertisements that are in fact relevant for your interests and bring added value to your online experience.

 

In our targeting process, as a first step, we define a target group based on certain criteria such as location, meal preferences and secondly,  we commission our service providers to show our advertising to the defined target group, both on our own websites as well as on online properties owned and operated by third-party publishers. To better define the intended target groups, we segment customer types and place different ads on different portals. We will use pseudonymous data for this purpose only. That means we will not be able to identify individual persons within the defined target groups.

 

      Retargeting

 

As soon as you have visited our platform and, for example, have already placed an order in your shopping cart, we record this information through cookies and other web-tracking technologies. If you continue to surf other websites, our advertising partners will remind you on our behalf that you have not yet completed your order. We don't want you to miss out on our amazing customer experience.

 

Categories of personal data:

Device information and access data

Location data

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

 

Duration of processing:

For marketing contact and communication data, if you have given direct marketing consent, the data will be kept until your consent is withdrawn.

 

      Cookies and similar technologies

 

In the context of our online marketing activities we also use cookies and similar technologies. As stated above, these technologies help us to recognize your device and deliver to you only the type of advertisements relevant to your interests. As a matter of principle, our web technologies will process your device information and access data in pseudonymous form only. This means that we will not be able to identify you as a person on the basis of this data and we will not be able to attribute your interactions outside of our platform to your user account with us.

 

To give you all the information you need, we have prepared a comprehensive Cookies, SDKs and Similar Technologies Policy explaining not only the details of our web-tracking technologies but also explaining how exactly you can opt-in or opt-out of the use of web-tracking technologies on our website.

 

Categories of personal data:

Device information and access data

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

 

You can find information about cookies in detail in the cookie policy, which can be found at the following link: https://www.foodora.hu/contents/cookies

 

      Loyalty program

 

We want to reward our customers' loyalty with attractive deals and points. For this reason, we offer our customers the opportunity to participate in customer loyalty programs. Participation in the Loyalty program requires your consent. You can revoke your consent at any time for the future. Please send us an email to dpo@foodora.hu for this purpose.

 

Categories of personal data:

Account data (master data)

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

 

Duration of processing:

For marketing contact and communication data, if you have given direct marketing consent, the data will be kept until your consent is withdrawn.

 

      Sweepstakes

 

We sometimes run sweepstakes to provide our customers with the chance of winning prizes in relation to our platform (this might be a voucher, special offer or other cash-value award). Before you participate, we will ask you to grant us your consent to process your personal data for the purpose of signing you up for the campaign. If you refuse to grant your consent we cannot offer you to take part in the sweepstake.

 

If you have already given your consent and would like to revoke it for the future, you can do so at any time by sending an email to help@foodora.hu In this case, we will exclude you from participating in our sweepstakes and you will not receive any further invitations to sweepstakes.

 

 

Categories of personal data:

Account data (master data)

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

 

Duration of processing:

For marketing contact and communication data, if you have given direct marketing consent, the data will be kept until your consent is withdrawn.

 

      User interviews for market research purposes:

 

We always develop new products and try to adapt our platform to the wishes of our customers. In order to measure the effectiveness of these changes, we regularly offer interviews with our User Experience team. In these interviews we record your usage behaviour and ask you for possible optimisation possibilities.

 

Participation in the interviews requires your consent. If you have already given your consent and would like to revoke it for the future, you can do so at any time by sending an email to help@foodora.hu. In this case we will exclude you from participating in our interviews and you will not receive any further invitations for them.

 

Categories of personal data:

Account data (master data)

Order history data

Delivery data

 

Legal basis:

Art. 6 (1) a) GDPR, consent.

 

Duration of processing:

For marketing contact and communication data, if you have given direct marketing consent, the data will be kept until your consent is withdrawn.

 

      Vouchers

 

We often offer vouchers for our platforms. The reasons can vary. The purpose of these vouchers is to reward our loyal customers and to encourage them to continue to lead our loyal customers. In order to be able to check the number, the value and the frequency of use of the vouchers, but also to avoid misuse of these vouchers, we collect various personal data.

 

Categories of personal data:

Account data (master data)

Voucher information

Legal basis:

Art. 6 (1) f) GDPR, legitimate interests.

 

Duration of processing:

3 years from the last login.

 

d.                   Social Media Sites

 

We have profiles on various social media platforms on which we advertise our products and interact with customers. Since we operate these profiles on third-party platforms, including Facebook and Instagram, each time you visit these social media offerings the operators of these social media platforms collect different personal data from you. The social media platforms Facebook and Instagram are operated by Meta Platforms Ireland Ltd., 4 Grand Canal Place, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).

 

      Responsibilities

 

We and the respective operators of the social media platforms act as joint controllers with respect to the collection of your personal data on our social media sites, as well as the analysis of the use of our social media sites by social media users. For this purpose, we and Meta have agreed on a joint controllership agreement in accordance with Art. 26 GDPR.

 

Also, the operators of the social media platforms themselves are data controllers for the general use of their social media services and interactions outside our profiles and social media sites. This sole responsibility also applies to any processing of your social media account data for purposes other than analyzing the traffic on our social media sites.

 

The following links will show you exactly which data is collected by the respective social media operators:

Privacy Policy Facebook

Privacy Policy Instagram

 

      Data processing

 

Meta provides page administrators with aggregated statistics and insights that help them understand the types of actions people take on their pages ("Page Insights"). Please be informed that we only receive aggregated user reports from Meta. At no point can we attribute any page visit or other interaction to individual social media profiles.

 

When you visit or interact with one of our social media sites or its content, information such as the following may be collected and used to create Page Insights:

 

-       Viewing a page, or a post or video from a page

-       Following or unfollowing a page

-       Liking or unliking a page or post

-       Recommending a page in a post or comment

-       Commenting on, sharing or reacting to a page post (including the type of reaction)

-       Hiding a page's post or reporting it as spam

-       Clicking a link to a page from another page on Facebook or from a website off Facebook

-       Hovering over a page's name or profile picture to see a preview of the page's content

-       Clicking on the website, phone number, Get Directions button or other button on a page

-       Whether you're on a computer or mobile device while visiting or interacting with a page or its content.

 

      Your data subject rights

 

As part of our agreement with Facebook, with respect to our social media sites, we have determined that Meta as the company operating Facebookis primarily responsible for fulfilling its information obligations in connection with the Page Insight data and for ensuring that you exercise your rights under the GDPR. For more information about your data subject rights on Facebook, please see Facebook's Page-Insights Privacy Policy.

 

e.                    Mergers & acquisitions, change of ownership

 

We would also like to inform you that in the event of a merger with or acquisition by another company, we will be required to disclose certain limited information to that company. Of course, we will require the company to comply with the legal data protection regulations. We will keep the extent of the data to the absolute minimum required to conduct the transaction.

 

Categories of personal data:

Delivery data

Location data

Account data (master data)

Device information and access data

Order data

Customer care data

Marketing contact and communications data

Payment data

Voucher information

 

Legal basis:

Art. 6 (1) f) GDPR, legitimate interests.

 

6.         Whom We Share Your Personal Data With

We never give your data to unauthorized third parties. However, to run our business efficiently, we obtain the services of selected service providers and give them limited and strictly monitored access to some of our data. However, before we forward personal data to these partner companies for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and prove their data protection level with appropriate documentation.

 

a.                    Delivery Hero Group Companies

 

As we already let you know at the beginning of this Privacy Policy we are part of an international group of companies with legal entities in many parts of the world. This also includes our group’s headquarters operated by Delivery Hero SE in Berlin, Germany. To use our resources efficiently and ensure that our business processes are functioning properly, we will share personal data with our joint controller Delivery Hero SE on a regular basis. In certain situations, we might also share limited data with other group companies, for example, to assist with customer support requests, conduct legal assessments or implement IT and platform security measures.

 

All Delivery Hero Group Companies are bound by strict intra-group data transfer agreements ascertaining compliance with the GDPR’s data processing principles whenever sharing personal data with affiliated companies.

 

b.                   Service providers and data processors

 

We use different service providers for our daily processing activities. Most of these providers process your personal data as so-called “data processors” in accordance with the requirements of Art. 28 GDPR. This means they are permitted to process any personal data only according to our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. We also monitor our processors and include only those who meet our high data protection standards.

 

You have already learned about some of the parties we use as service providers above and can also find information on data recipients in our Cookies, SDKs and Similar Technologies Policy. Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google and Amazon Web Services (AWS). Because we use different data processors and change them from time to time, it is not possible for us to identify all individual recipients of personal data in this Privacy Policy. However, if you are interested, we will be happy to disclose the name of the processor(s) in use at that time upon request.

 

c.                    Third parties

 

In addition to data processors, we also work with third parties, to whom we also transmit your personal data, but who are not bound by our instructions. These are, for example, our consultants, lawyers or tax consultants who receive your data from us on the basis of a contract and process your personal data for legal reasons or to protect our own interests. We do not sell or rent your personal data to third parties under any circumstances. This will never take place without your explicit, informed consent.

 

d.                   Prosecuting authorities, courts and other public bodies

 

Unfortunately, it can happen that a few of our customers and service providers do not behave fairly and want to harm us. In these cases, we are not only obliged to hand over personal data to public authorities due to legal obligations, it is also in our interest to prevent damage and to enforce our claims and to reject unjustified claims.

 

7.         International Data Transfers

We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers or affiliated companies mentioned above are based outside the EEA in so-called “third countries”. The GDPR has high requirements for the transfer of personal data to such third countries. All our data recipients have to measure up to these requirements.

 

Before we transfer your data to a recipient in a third country, this recipient is first assessed with regard to their data protection level. They will only be chosen if they can demonstrate an adequate level of data protection even outside the territory of the EEA. According to Art. 44 ff. GDPR personal data may be transferred to service providers meeting at least one of the following requirements:

 

-       The European Commission has decided that the third country ensures an adequate level of protection (e.g. Israel and Canada).

-       Standard contractual clauses (also called “standard data protection clauses”) have been incorporated into our contract with the data recipient (including any supplementary measures, if required).

-       Further appropriate safeguards in accordance with Art. 46 GDPR have been provided (for example Binding Corporate Rules).

 

8.         How Long We Store Your Data

We generally delete your personal data after the purpose of their processing has been fulfilled. The exact deletion rules are defined under the points relating to each processing operation. Different deletion rules apply depending on the purpose of the processing. Within our deletion concepts we have defined various data classes and assigned regular maximum retention and deletion periods to them. When the retention period has expired, the stored data will be deleted accordingly. If you have not used your user account on our platform for a period of more than three years, we will delete your account to make sure to comply with the principle of storage limitation. Before this happens, you will receive a separate notification from us to the email address registered for your user account.

 

In addition to the deletion rules we have defined ourselves, there are other legal retention periods which we must also observe. For various legal documents, such as invoices or business letters, applicable law defines minimum retention periods. For example, accounting records must be kept for 8 year.

 

Furthermore, we will continue to store your data if we have a right to do so in accordance with Art. 17 (3) GDPR. This applies in particular if we need your personal data for the establishment, exercise or defense of legal claims.

 

However, please be aware that you can also access your data, rectify your data or delete your data by using the automated functions in your user account.

 

9.         Right of Modification

We reserve the right to change this data protection declaration in compliance with the statutory provisions. We will inform you of any significant changes, such as changes of purpose or new purposes of processing.

 

Last updated: 2025.04.28.